Lab Configure Basic AP Security through IOS CLI

Similar documents
Lab Configure Basic AP security through GUI

Lab 7 Configuring Basic Router Settings with IOS CLI

Lab Using the CLI to Gather Network Device Information Topology

Configuring Secure Shell on Routers and Switches Running Cisco IOS

Configuring Secure Shell (SSH)

Lab - Examining Telnet and SSH in Wireshark

Lab Configuring Switch Security Features Topology

Lab Securing Network Devices

Packet Tracer - Configure Cisco Routers for Syslog, NTP, and SSH Operations (Instructor Version)

Lab Configuring and Verifying Extended ACLs Topology

Lab Manage AP Configuration and Image Files

Configuring Secure Shell

Skills Assessment Student Training

Lab Manage AP Configuration and Image Files

Lab Student Lab Orientation

Configuring Secure Shell (SSH)

Configuring Secure Shell (SSH)

CCNA 1 Chapter 2 v5.0 Exam Answers %

CHAPTER 2 ACTIVITY

Configuring Secure Shell (SSH)

Hochschule Bremen Networking Lab

ICND1. Switch Configuration Lab. All configurations have been set to factory defaults for these labs

Skills Assessment Student Practice

4(b): Assign the IP address on the Serial interface of Router. Console Cable

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Skills Assessment Student Training Exam

Secure Shell Version 2 Support

CCNA 1 Chapter 2 v5.0 Exam Answers 2013

CCNA Semester 2 labs. Labs for chapters 2 10

Chapter 8: Lab B: Configuring a Remote Access VPN Server and Client

This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and

Lab Router Configuration Using Setup Instructor Version 2500

Lab AAA Authorization and Accounting

Lab - Configuring a Switch Management Address

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Configuring Secure Shell (SSH)

Lab Designing and Implementing a VLSM Addressing Scheme. Topology. Objectives. Background / Scenario

This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and

Chapter 4. Network Security. Part II

Jaringan Komputer (CCNA-1)

1. Which OSI layers offers reliable, connection-oriented data communication services?

Lab Command Line Fundamentals Instructor Version 2500

Examples of Cisco APE Scenarios

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

Lab Managing Router Configuration Files with Terminal Emulation Software

Send document comments to

Device Interface IP Address Subnet Mask Default Gateway

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology

Cisco Network Academy CCNA 1 Introduction to Networks

Lab Establishing and Verifying a Telnet Connection Instructor Version 2500

Secure Shell Version 2 Support

Lab Troubleshooting Basic PPP with Authentication Topology

Retake - Skills Assessment Student Training (Answer Key)

Troubleshooting Network analysis Software communication tests and development Education. Protocols used for communication (10 seconds capture)

Configuring TACACS+ Finding Feature Information. Prerequisites for TACACS+

Security Hardening Checklist for Cisco Routers/Switches in 10 Steps

Lab Configuring Dynamic and Static NAT (Solution)

PT Activity: Configure AAA Authentication on Cisco Routers

Lab : Challenge OSPF Configuration Lab. Topology Diagram. Addressing Table. Default Gateway. Device Interface IP Address Subnet Mask

Lab Configuring Dynamic and Static NAT (Instructor Version Optional Lab)

MiPDF.COM. 3. Which procedure is used to access a Cisco 2960 switch when performing an initial configuration in a secure environment?

Configuring Secure Shell (SSH)

Lab Troubleshooting Using traceroute Instructor Version 2500

Lab Student Lab Orientation

Chapter 2. Switch Concepts and Configuration. Part II

Lab Troubleshooting IP Address Issues Instructor Version 2500

Lab Correcting RIPv2 Routing Problems

CCNA Security 1.0 Student Packet Tracer Manual

Lab Catalyst 2950T and 3550 Series Basic Setup

Lab Configuring an ISR with SDM Express

Lab Configuring and Verifying Standard IPv4 ACLs (Instructor Version Optional Lab)

Lab Configuring Basic RIPv2 (Solution)

Lab Configuring Basic Switch Settings (Solution)

Lab 1.4.6B Implementing Port Security

King Fahd University of Petroleum & Minerals. Configuration of Routers and Establishing Routed Networks

Lab Configuring and Verifying Standard IPv4 ACLs Topology

AutoSecure. Finding Feature Information. Last Updated: January 18, 2012

Configuring Security for the ML-Series Card

Lab Configuring Port Address Translation (PAT) (Instructor Version)

CISCO SWITCH BEST PRACTICES GUIDE

Console Port, Telnet, and SSH Handling

Lab Troubleshooting VTP Configuration

CCNA Security PT Practice SBA

Lab Configuring Static Routes Instructor Version 2500

CCNA 1 Final Exam Answers UPDATE 2012 eg.1

Lab Configuring 802.1Q Trunk-Based Inter-VLAN Routing Topology

Chapter 2. Chapter 2 A. Configuring a Network Operating System

Lab Well-Known Port Numbers and Multiple Sessions

Lab 5.6.2: Challenge RIP Configuration

Lab Troubleshooting RIP

Device Interface IP Address Subnet Mask R1 G0/ N/A

Lab Configuring LEAP/EAP using Cisco Secure ACS (OPTIONAL)

TELECOMMUNICATION MANAGEMENT AND NETWORKS

CCNA Explorer 1 Chapter 11 Configuring & Testing Your Network

Before you start the lab exercises see the lab administrator or EEE3080F tutor to get assigned to your routers.

Skills Assessment Student Training Exam

Lab Capturing and Analyzing Network Traffic

Note that you can also use the password command but the secret command gives you a better encryption algorithm.

Module 1 Basic Topology and Router Setup

Transcription:

Lab 8.3.1.2 Configure Basic AP Security through IOS CLI Estimated Time: 30 minutes Number of Team Members: Students will work in teams of two. Objective In this lab, the student will learn the following objectives: Password protect the console Scenario Define administrator accounts Configure accurate time and check firmware Configure SSH o Limit VTY to SSH o Access-list to secure SSH Disable telnet and web Students will learn to secure the AP through Cisco Internetworking Operating System (IOS). The security policy of the company mandates all devices should be locked down according to minimum standards. Also, SSH must be used for remote management. SSH is a program, similar to Telnet, which allows a network administrator to log into another computer over a network. SSH allows an administrator to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure networks. There are currently two versions of SSH available, SSH Version 1 and SSH Version 2. Only SSH Version 1 is implemented in the Cisco IOS software. 1-10 Fundamentals of Wireless LANs v 1.2 Lab 8.3.1.2 Copyright 2003, Cisco Systems, Inc.

Topology Preparation Team AP Name SSID Address 1 Pod1 AP1 10.0.1.1/24 2 Pod2 AP2 10.0.2.1/24 The instructor should have a working wired network. PC1 should be connected to the wired network. Prior to starting the lab, ensure that each host PC is loaded with a SSH client. There are numerous SSH clients available for free on the Internet. The lab was developed using the PuTTY SSH client. Tools and Resources Each team will need: AP PC or laptop Console cable Additional Materials SSH client software http://www.cisco.com/en/us/products/hw/wireless/ps430/products_installation_and_configuration_gu ide_book09186a0080147d69.html http://www.chiark.greenend.org.uk/~sgtatham/putty/ 2-10 Fundamentals of Wireless LANs v 1.2 Lab 8.3.1.2 Copyright 2003, Cisco Systems, Inc.

Command List In this lab exercise, the following commands will be used. Refer to this list if assistance or help is needed during the lab exercise. Command crypto key generate rsa hostname Description Generates Rivest, Shamir, and Adleman (RSA) key pairs. This command changes the APs hostname. ip domain-name ip ssh transport input Defines a default domain name that the Cisco IOS software uses to complete unqualified host names. Use the ip ssh command to configure Secure Shell (SSH) control parameters on the AP. Defines which protocols to use to connect to a specific line of the AP. Step 1 Configure basic AP settings a. Connect a Cisco rollover cable (console cable) between PC1 and the AP. b. Open a terminal emulator. c. Press return to get started. d. If there is an existing configuration on the AP, erase the configuration and reload. e. Configure the hostname, SSID, and domain name according to the Preparation table. PodP(config)# PodP(config)#ip domain-name fwl.com f. Configure a wireless PC or laptop to connect to the AP. This will be used later in the lab to test the security configuration. g. Remain on PC1 to configure the following steps. h. While in configuration mode, check the configuration PodP(config)#do show run Step 2 Configure a new administrator account One of the easiest ways for hackers to gain access to network devices is by using default usernames and passwords. a. Configure a new administrator account. PodP(config)#username cisco123 password cisco123 b. In a production environment, it is necessary to delete the old account. PodP(config)#no username Cisco password Cisco 3-10 Fundamentals of Wireless LANs v 1.2 Lab 8.3.1.2 Copyright 2003, Cisco Systems, Inc.

c. Also, it is important to encrypt the passwords in the configurations if there are multiple administrator accounts with various privilege levels. By default, this is enabled on the AP 1200. PodP(config)#service password-encryption d. While in configuration mode, verify the user accounts and password encryption. PodP(config)#do show run e. Secure the console connection by requiring a password. PodP(config)#line con 0 PodP(config-line)#login PodP(config-line)#password cisco123 f. Exit out of the AP and log back in. User Access Verification Password: g. A more secure method is to require a username and password combination. Return to configuration mode and configure local authentication on the console. PodP(config)#line con 0 PodP(config-line)#login local h. Exit out of the AP and log back in using the username password combination configured in step 2a. User Access Verification Username: Password: PodP> Step 3 Configure accurate time In order to keep track on any potential attacks, it is important to maintain proper time. a. Configure the correct time. Use the help feature if needed. PodP#clock set b. Set the correct timezone PodP(config)#clock timezone [name of time zone] [offset in hours] Example: PodP(config)#clock timezone PhoenixAZ -7 4-10 Fundamentals of Wireless LANs v 1.2 Lab 8.3.1.2 Copyright 2003, Cisco Systems, Inc.

c. (Optional) Configure daylight savings time. Use the help feature or command reference if needed. PodP(config)#clock summer-time d. Check the clock settings while in configuration mode. PodP(config)#do show clock Step 4 Configure MOTD and login banner a. Configure a message-of-the-day (MOTD). The MOTD banner appears on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns). PodP(config)#banner motd # This is a secure site. Only authorized users are allowed. For access, contact technical support. # PodP(config)# b. Exit out of the console or telnet session to check the MOTD. con0 is now available Press RETURN to get started. This is a secure site. Only authorized users are allowed. For access, contact technical support. c. Configure a login banner. This banner appears after the MOTD banner and before the login prompt. PodP(config)#banner login $ Access for authorized users only. Please enter your username and password. $ PodP(config)# d. Exit out of the console to check the banner. con0 is now available Press RETURN to get started. This is a secure site. Only authorized users are allowed. For access, contact technical support. Access for authorized users only. Please enter your username and password. User Access Verification Username: 5-10 Fundamentals of Wireless LANs v 1.2 Lab 8.3.1.2 Copyright 2003, Cisco Systems, Inc.

Step 5 Verify the image file Many attacks can be prevented by maintaining the most up to date image. In order to keep up with any vulnerabilities in Cisco products go to: http://www.cisco.com/en/us/products/hw/vpndevc/ps2284/products_tech_note09186a0080132a 8a.shtml a. Are there any wireless vulnerabilities listed? If so, what are they? b. Check the current image. PodP#show version c. What version is running? d. Does this AP have any known vulnerabilities? Step 6 Configure SSH In some circumstances, attackers may be able to use a packet analyzer to intercept telnet passwords, which may enable them to gain access to the AP or other networking devices. The SSH protocol is a secure form of telnet, providing both authentication and encryption. First, begin by generating the asymmetric keys used in the SSH authentication process. Generate RSA keys a. Enter the following command in the configuration mode: PodP(config)#crypto key generate rsa? b. What are the available help options for this command? Generate RSA keys (continued) To enable SSH for local and remote authentication on the AP, enter the command crypto key generate rsa and press Enter. The AP will respond with a message showing the naming convention for the keys. c. What is the default size, in bits, of the key modulus? d. Press Enter to accept the default key size and continue. 6-10 Fundamentals of Wireless LANs v 1.2 Lab 8.3.1.2 Copyright 2003, Cisco Systems, Inc.

Step 7 Configure SSH timeouts a. Configuring SSH timeouts and authentication retries is a way of providing additional security for the connection. Use the command ip ssh {[time-out seconds]} {authentication-retries integer} to enable timeouts and authentication retries. Set the SSH timeout to 15 seconds and the amount of retries to 3 by entering the following commands: PodP(config)#ip ssh time-out 15 PodP(config)#ip ssh authentication-retries 3 1. What is the maximum timeout value allowed? What is the maximum amount of authentication retries allowed? Step 8 Configure local authentication and VTY a. Use the following commands to define a local user and assign SSH communication to the vty lines: PodP(config)# username cisco password student PodP(config)# line vty 0 4 PodP(config-line)# transport input ssh PodP(config-line)# login local 1. What are the available parameters for the transport input command? Step 9 Communicating between a SSH PC (client) to AP (server) The basic settings to allow a PC and an AP to establish a SSH session are now configured. In order to establish a SSH session, launch the SSH client from the student PC. a. The configurations will vary among different SSH clients. If PuTTY is being used as the SSH client, following these instructions. Launch the PuTTY.exe file and a pane with various configuration options will open. 7-10 Fundamentals of Wireless LANs v 1.2 Lab 8.3.1.2 Copyright 2003, Cisco Systems, Inc.

b. In the Host Name (or IP address) input box enter the IP address of the pod AP. Next, change the protocol to SSH. These two values must be sent to establish the SSH. To test the connection, press the Open command button at the bottom of the window. c. The SSH client will prompt for the local username and password that was previously set on the Pod AP. Enter the cisco123 for the username and cisco123 for the password. d. Was the SSH connection successful? If so, how is the prompt displayed? Step 10 debug and verify SSH Enable debugging a. Enable debugging of SSH by entering the following commands: PodP(config)#logging on PodP(config)#exit PodP#terminal monitor PodP#debug ip ssh b. SSH debug output c. Next, open another instance of the SSH client and connect to the AP. Use the correct username and password to log in to the AP. The debug output should be similar to the output below. 03:45:37: SSH1: starting SSH control process 03:45:37: SSH1: sent protocol version id SSH-1.5-Cisco-1.25 03:45:37: SSH1: protocol version id is - SSH-1.5-PuTTY-Release-0.53b 03:45:37: SSH1: SSH_SMSG_PUBLIC_KEY msg 03:45:38: SSH1: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03 03:45:38: SSH: RSA decrypt started 03:45:39: SSH: RSA decrypt finished 03:45:39: SSH: RSA decrypt started 03:45:39: SSH: RSA decrypt finished 03:45:39: SSH1: sending encryption confirmation 03:45:39: SSH1: keys exchanged and encryption on 03:45:41: SSH1: SSH_CMSG_USER message received 03:45:41: SSH1: authentication request for userid cisco 03:45:41: SSH1: SSH_SMSG_FAILURE message sent 03:45:44: SSH1: SSH_CMSG_AUTH_PASSWORD message received 03:45:44: SSH1: authentication successful for cisco 03:45:44: SSH1: requesting TTY 8-10 Fundamentals of Wireless LANs v 1.2 Lab 8.3.1.2 Copyright 2003, Cisco Systems, Inc.

03:45:44: SSH1: setting TTY - requested: length 24, width 80; set: length 24, width 80 03:45:44: SSH1: SSH_CMSG_EXEC_SHELL message received 03:45:44: SSH1: starting shell for vty03:45:37: SSH1: starting SSH control process d. To get an idea of the debugging process and the debugging message, open another instance of the SSH client and intentionally enter the wrong username or password. View the debugging output for failed authentication. Disable debugging PodP#undebug all All possible debugging has been turned off e. Viewing SSH sessions f. Use the show ssh command to view the active SSH sessions. g. Fill in the appropriate values of the table below, based on the output of the show ssh command. Connection Version Encryption State Username Viewing SSH parameters h. To display the version information and SSH parameters, use the show ip ssh command. i. Is the output displayed exactly as the output below? If not, what are the differences? PodP>sh ip ssh SSH Enabled - version 1.5 Authentication timeout: 15 secs; Authentication retries: 3 Step 11 AP to AP SSH Connection (Optional) Confirm peer SSH configurations. a. Verbally communicate with the peer team to ensure the peer AP has been configured to accept a SSH connection. Instead of using a SSH client running on a host computer, the AP will be the SSH client and will establish a connection to the peer AP. By default, the Cisco IOS will act as both a SSH server and SSH client. b. In order to communicate between the two APs across the wired LAN, the BVI interfaces will have to be on the same subnet. This can be accomplished by changing the masks to 255.255.0.0 on both AP BVI interfaces. One other option is to use a router between the two APs, which will route between the two subnets. Test Telnet. c. When the peer group is ready, enter the telnet command and establish connectivity with the peer AP. PodP#telnet 10.0.Q.1 (where Q is the peer team AP) 9-10 Fundamentals of Wireless LANs v 1.2 Lab 8.3.1.2 Copyright 2003, Cisco Systems, Inc.

d. Was the Telnet connection successful? Why or why not? Enter SSH parameters. e. Enter the following commands to establish a SSH connection to the peer AP: PodP#ssh? f. What are the additional arguments of the ssh command? g. What encryption algorithms are available? Establish AP to AP SSH connection. h. Enter the following command to establish a SSH connection to the peer AP: PodP>ssh c des l cisco 10.0.Q.1 (where Q is the peer team AP) This command makes a SSH connection to a peer AP with an address of 10.0.Q.2, DES as the encryption, and cisco as the login username. i. Was the SSH connection successful? Verify SSH. j. Enter the following command to verify the SSH connection: PodP#show ip ssh PodP#show ssh k. What other commands could be useful to verify and troubleshoot SSH connections? Step 12 Disable web (optional) Many security policies may mandate http access to devices be disabled. If https is not available, then SSH is the second best option for secure communication to remote LAN devices. a. Now that SSH is configured, disable web access to the AP. PodP(config)# PodP(config)#no ip http server b. Open a web browser and try to connect to the AP? c. If the configuration was saved to flash, erase the startup configuration and reload the AP. PodP#erase startup-config PodP#reload 10-10 Fundamentals of Wireless LANs v 1.2 Lab 8.3.1.2 Copyright 2003, Cisco Systems, Inc.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback